The Office of the Attorney General (OAG) for the state of New York today said a months-long investigation into credential-stuffing operations uncovered some 1.1 million consumer online accounts that had been compromised in such attacks.

The stolen credentials belonged to consumers of 17 "well-known" online retail businesses, restaurant chains, and food delivery services, according to the OAG's office. Most of the businesses had been unaware of the attacks prior to the OAG's reporting them, and were advised on how to better lock down customer accounts and ensure their accounts were secured with new passwords and security controls. 

Credential-stuffing is a wildly popular — and easy — method for attackers, who run tools that automate the process of using pilfered usernames and passwords across multiple online services in order to find accounts that reuse the same password. Password reuse is a common misstep among consumers weary of creating new passwords for each online account.

"Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users' personal information stand in jeopardy," said NY Attorney General Letitia James. "Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy."

The OAG also published a report, "Business Guide for Credential Stuffing Attacks," that explains these types of attacks and how to protect against them.

Read more here.